Publications

Understanding Malware's Network Behaviors using Fantasm

Abstract

Background: There is very little data about how often contemporary malware communicates with the Internet and how essential this communication is for malware’s functionality.
Aim: We aim to quantify what fraction of contemporary malware samples are environment-sensitive and will exhibit very few behaviors when analyzed under full containment. We then seek to understand the purpose of the malware's use of the communication channel and whether malware communication patterns could be used to understand its purpose.
Method: We analyze malware communication behavior by running contemporary malware samples on bare-metal machines in the DeterLab testbed, either in full containment or with some limited connectivity, and recording and analyzing all their network traffic. We carefully choose which communication to allow, and we monitor all connections that are let out into the Internet. This way we can guarantee safety to Internet hosts, while exposing interesting malware behaviors that do not show under full containment.
Results: We find that 58% of samples exhibit some network activity within the first five minutes of running. We further find that 78% of these samples exhibit more network behaviors when run under our limited containment than when run under full containment, which means that 78% of samples are environment-sensitive. The most common communication patterns involve DNS, ICMP ECHO and HTTP traffic toward mostly nonpublic destinations. The likely purpose of this traffic is botnet command and control. We further show that malware's network behaviors can be used to determine its purpose with 85–89% accuracy.
Conclusions: …

Date
September 12, 2025
Authors
Xiyue Deng, Hao Shi, Jelena Mirkovic
Conference
The LASER Workshop: Learning from Authoritative Security Experiment Results (LASER 2017)
Pages
1-11